Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    03/10/2024, 05:54

General

  • Target

    Chorme_installer_v56.58.03.msi

  • Size

    37.2MB

  • MD5

    2e859514e7c8e73b276d5f0cbe5a7cca

  • SHA1

    2d46ba837702a6f11bed1a6298b7fd443feb8c63

  • SHA256

    9c9aca6b60e90876f4c2727ecfb5ec5021586f830dee3da064f9d99605410d15

  • SHA512

    5a00b43861009cf82708167b263965cad7a327bbcb2bd01c3c1bcc1e6793ef75aa5fe8035a54e9f502cac5b7aa3a92b251d53481eff15b04870a3d07aa27d257

  • SSDEEP

    786432:Pib1xBH1OwK5d+coZlrR0GiuskPuJJNJUON8y+cv+1dnnZZ8bbiqbBP0:Kb1X1O/d+co3ODJNJV8fcva9nZZmi6

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops file in System32 directory 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 27 IoCs
  • Loads dropped DLL 40 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 11 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
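
The Active Setup signature above names the mechanism but not how a responder checks it. The following Python is an added example, not part of this sandbox report or of any tool it references: it models the Installed Components keys that Explorer evaluates at logon, scores each entry with the heuristics an analyst applies by hand (StubPath image outside system or program directories, in a user-writable path, an interpreter or LOLBin, a non-GUID component name), and, on Windows, reads the live keys with winreg. The sample records are constructed: the Chrome-style entry is keyed by the appguid visible in updater.exe's command line, but its StubPath, Version and the "Updater" entry are assumptions, not values taken from this run.

```python
"""Offline triage of Active Setup entries (the persistence behind the
'Boot or Logon Autostart Execution: Active Setup' signature)."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Iterable

# Explorer runs a component's StubPath at logon when the per-user copy under
# HKCU is missing or has an older Version; IsInstalled=0 disables the entry.
ACTIVE_SETUP_SUBKEYS = (
    r"SOFTWARE\Microsoft\Active Setup\Installed Components",
    r"SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components",
)
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(temp|appdata|public|programdata|users)\\")
LOLBIN_RE = re.compile(r"(cmd|powershell|mshta|rundll32|regsvr32|wscript|cscript)\.exe$")

@dataclass
class ActiveSetupEntry:
    key: str           # component subkey name, normally a GUID
    stub_path: str     # command line executed at next logon
    version: str       # "a,b,c,d"; bumping it re-runs StubPath for every user
    is_installed: int  # 0 disables the entry

def exe_from_stub(stub: str) -> str:
    """Lowercase image path from a StubPath command line (quoted or bare)."""
    stub = stub.strip()
    if stub.startswith('"'):
        return stub[1:stub.find('"', 1)].lower()
    return stub.split(" ", 1)[0].lower()

def assess(entry: ActiveSetupEntry) -> list[str]:
    """Reasons a responder should look closer; an empty list means nothing notable."""
    if entry.is_installed == 0 or not entry.stub_path.strip():
        return []                                   # inert entry
    exe = exe_from_stub(entry.stub_path)
    reasons = []
    if not exe.startswith(TRUSTED_DIRS):
        reasons.append(f"StubPath image outside system/program directories: {exe}")
    if USER_WRITABLE_RE.search(exe):
        reasons.append("StubPath image in a user-writable location")
    if LOLBIN_RE.search(exe):
        reasons.append("StubPath runs an interpreter or LOLBin")
    if not GUID_RE.match(entry.key):
        reasons.append(f"component key is not a GUID: {entry.key!r}")
    return reasons

def triage(entries: Iterable[ActiveSetupEntry]) -> dict[str, list[str]]:
    """Map of flagged key -> reasons; unflagged entries are omitted."""
    return {e.key: r for e in entries if (r := assess(e))}

def _value(sub, name, default):
    import winreg
    try:
        return winreg.QueryValueEx(sub, name)[0]
    except OSError:
        return default

def read_live_entries() -> list[ActiveSetupEntry]:
    """Enumerate the real HKLM keys on Windows; returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    out = []
    for subkey in ACTIVE_SETUP_SUBKEYS:
        try:
            base = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey)
        except OSError:
            continue
        with base:
            i = 0
            while True:
                try:
                    name = winreg.EnumKey(base, i)
                except OSError:
                    break
                i += 1
                with winreg.OpenKey(base, name) as sub:
                    out.append(ActiveSetupEntry(name, str(_value(sub, "StubPath", "")),
                               str(_value(sub, "Version", "")), int(_value(sub, "IsInstalled", 1))))
    return out

# Constructed sample records (not read from this report): a benign Chrome-style
# component keyed by the appguid from updater.exe's command line (StubPath and
# Version assumed), a hypothetical entry of the kind a trojanized installer
# leaves behind, and a disabled entry that must not be flagged.
SAMPLE_ENTRIES = [
    ActiveSetupEntry("{8A69D345-D564-463C-AFF1-A69D9E530F96}",
        r'"C:\Program Files\Google\Chrome\Application\129.0.6668.89\Installer\chrmstp.exe" --configure-user-settings',
        "129,0,6668,89", 1),
    ActiveSetupEntry("Updater", r"C:\Users\Admin\AppData\Local\Temp\update.exe /q", "1,0,0,0", 1),
    ActiveSetupEntry("{00000000-0000-0000-0000-000000000000}", r"cmd.exe /c start x.exe", "1,0,0,0", 0),
]

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_ENTRIES + read_live_entries()).items():
        print(key, *reasons, sep="\n  ")
```

The heuristics are deliberately loose: a trusted directory only means the image is not in a location a standard user can write, so a flagged-clean entry still deserves a signature and hash check against the vendor's binary before it is dismissed.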

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Chorme_installer_v56.58.03.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1908
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3220
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7D4733EBA5871D80CF3BD84FADAD258A C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4796
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1100
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding B8601F777EEE894A8C1DD055525601FD
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4768
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding 8EF01A6D85E153919880A0B705B73CA8
        2⤵
        • Loads dropped DLL
        PID:1240
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:4972
    • C:\Program Files (x86)\Chrome installer\Chrome installer\Chrome installer\ChromeSetup.exe
      "C:\Program Files (x86)\Chrome installer\Chrome installer\Chrome installer\ChromeSetup.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Program Files (x86)\Google1116_1944656391\bin\updater.exe
        "C:\Program Files (x86)\Google1116_1944656391\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={E3E33FF1-3FAE-A583-1DCE-92112BD2D53D}&lang=zh-CN&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
        2⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4420
        • C:\Program Files (x86)\Google1116_1944656391\bin\updater.exe
          "C:\Program Files (x86)\Google1116_1944656391\bin\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=129.0.6651.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x12b06cc,0x12b06d8,0x12b06e4
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2700
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
          3⤵
          • Checks computer location settings
          • Checks system information in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates system info in registry
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:3016
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.89 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff9bf57bf8,0x7fff9bf57c04,0x7fff9bf57c10
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:3004
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1944,i,18092776506555985511,13496736557557266528,262144 --variations-seed-version --mojo-platform-channel-handle=1940 /prefetch:2
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:3524
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=2188,i,18092776506555985511,13496736557557266528,262144 --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:3
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:3128
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2360,i,18092776506555985511,13496736557557266528,262144 --variations-seed-version --mojo-platform-channel-handle=2528 /prefetch:8
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:3420
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,18092776506555985511,13496736557557266528,262144 --variations-seed-version --mojo-platform-channel-handle=3196 /prefetch:1
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1580
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,18092776506555985511,13496736557557266528,262144 --variations-seed-version --mojo-platform-channel-handle=3364 /prefetch:1
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1608
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4508,i,18092776506555985511,13496736557557266528,262144 --variations-seed-version --mojo-platform-channel-handle=4536 /prefetch:1
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Loads dropped DLL
            PID:3396
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4560,i,18092776506555985511,13496736557557266528,262144 --variations-seed-version --mojo-platform-channel-handle=4724 /prefetch:1
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1072
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4892,i,18092776506555985511,13496736557557266528,262144 --variations-seed-version --mojo-platform-channel-handle=4972 /prefetch:8
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:3680
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4688,i,18092776506555985511,13496736557557266528,262144 --variations-seed-version --mojo-platform-channel-handle=5100 /prefetch:8
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:4408
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5136,i,18092776506555985511,13496736557557266528,262144 --variations-seed-version --mojo-platform-channel-handle=5404 /prefetch:8
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2264
    • C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe
      "C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe" --system --windows-service --service=update-internal
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1604
      • C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe
        "C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=129.0.6651.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x5506cc,0x5506d8,0x5506e4
        2⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3304
    • C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe
      "C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe" --system --windows-service --service=update
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe
        "C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=129.0.6651.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x5506cc,0x5506d8,0x5506e4
        2⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1944
      • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1104_1270734753\129.0.6668.89_chrome_installer.exe
        "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1104_1270734753\129.0.6668.89_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1104_1270734753\2e27171d-7d3e-451c-94e0-692bdbd3e948.tmp"
        2⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:1704
        • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1104_1270734753\CR_081F4.tmp\setup.exe
          "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1104_1270734753\CR_081F4.tmp\setup.exe" --install-archive="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1104_1270734753\CR_081F4.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1104_1270734753\2e27171d-7d3e-451c-94e0-692bdbd3e948.tmp"
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Network Configuration Discovery: Internet Connection Discovery
          • Modifies data under HKEY_USERS
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2372
          • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1104_1270734753\CR_081F4.tmp\setup.exe
            "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1104_1270734753\CR_081F4.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.89 --initial-client-data=0x270,0x274,0x278,0x240,0x27c,0x7ff7626b9628,0x7ff7626b9634,0x7ff7626b9640
            4⤵
            • Executes dropped EXE
            PID:4788
          • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1104_1270734753\CR_081F4.tmp\setup.exe
            "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1104_1270734753\CR_081F4.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
            4⤵
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:3740
            • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1104_1270734753\CR_081F4.tmp\setup.exe
              "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1104_1270734753\CR_081F4.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=129.0.6668.89 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff7626b9628,0x7ff7626b9634,0x7ff7626b9640
              5⤵
              • Executes dropped EXE
              PID:2344
    • C:\Program Files\Google\Chrome\Application\129.0.6668.89\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\129.0.6668.89\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:5032
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
      1⤵
        PID:5004
      • C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe
        "C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe" --system --windows-service --service=update
        1⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1028
        • C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe
          "C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=129.0.6651.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x5506cc,0x5506d8,0x5506e4
          2⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2616
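
Reading the tree above by hand means following the N⤵ depth markers back to each parent and noticing what is unusual for a Chrome install. The Python below is an added example, not part of this sandbox report or of any tool it references: it parses a listing in the format shown above into a process tree, reconstructs each process's lineage, and applies four rules suggested by this run: msiexec installing a package out of the user's Temp directory, a dropped EXE living under a path whose directory name repeats, an installer language (lang=zh-CN) that does not match the sandbox locale en-us from the resource tags, and the Active Setup persistence signature reported with its full parent chain. The sample listing is six records copied from the tree above with signature bullets and the long updater command line trimmed; the rule wording, function names and the SANDBOX_LOCALE constant are the example's own.

```python
"""Rebuild a sandbox process listing into a tree and apply a few triage rules."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

@dataclass
class Proc:
    path: str                 # image path from the '• C:\...exe' line
    cmdline: str              # the line that follows it
    depth: int = 0            # from the 'N⤵' marker (1 = root of the tree)
    pid: int = 0
    sigs: list[str] = field(default_factory=list)
    parent: Proc | None = None

BULLET = re.compile(r"^•\s*(.*)$")
DEPTH = re.compile(r"^(\d+)⤵$")
PIDLINE = re.compile(r"^PID:(\d+)$")
EXEPATH = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.I)

def parse_tree(text: str) -> list[Proc]:
    """Record layout: '• <path>', '<cmdline>', '<depth>⤵', '• <signature>'..., 'PID:<n>'."""
    procs: list[Proc] = []
    stack: list[Proc] = []            # open ancestors, deepest last
    cur, pending_path = None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if cur is None:               # between records: path bullet, then command line
            if (m := BULLET.match(line)) and EXEPATH.match(m.group(1)):
                pending_path = m.group(1)
            elif pending_path:
                cur, pending_path = Proc(pending_path, line), None
        elif m := DEPTH.match(line):
            cur.depth = int(m.group(1))
            while stack and stack[-1].depth >= cur.depth:
                stack.pop()           # climb back up to this record's parent
            cur.parent = stack[-1] if stack else None
            stack.append(cur)
        elif m := BULLET.match(line):
            cur.sigs.append(m.group(1))
        elif m := PIDLINE.match(line):
            cur.pid = int(m.group(1))
            procs.append(cur)
            cur = None
    return procs

SANDBOX_LOCALE = "en-us"   # from the report's resource tags (locale:en-us)

def lineage(p: Proc) -> list[str]:
    """Image names from the root of the tree down to p."""
    chain = []
    while p is not None:
        chain.append(p.path.rsplit("\\", 1)[-1])
        p = p.parent
    return chain[::-1]

def findings(procs: list[Proc]) -> list[tuple[int, str]]:
    out = []
    for p in procs:
        cl = p.cmdline.lower()
        if p.path.lower().endswith("msiexec.exe") and " /i " in cl and "\\appdata\\local\\temp\\" in cl:
            out.append((p.pid, "msiexec installs a package from the user's Temp directory"))
        if (m := re.search(r"[?&]lang=([a-z]{2}-[a-z]{2})", cl)) and m.group(1) != SANDBOX_LOCALE:
            out.append((p.pid, f"installer language {m.group(1)} does not match system locale {SANDBOX_LOCALE}"))
        if "Executes dropped EXE" in p.sigs and re.search(r"\\([^\\]+)\\\1\\", p.path):
            out.append((p.pid, "dropped EXE under a path with a repeated directory name"))
        if any(s.startswith("Boot or Logon Autostart Execution") for s in p.sigs):
            out.append((p.pid, "persistence written by: " + " > ".join(lineage(p))))
    return out

# Six records copied from the report's tree, signatures and the long updater
# command line trimmed; indentation is irrelevant to the parser.
SAMPLE = r"""
• C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Chorme_installer_v56.58.03.msi
  1⤵
  • Event Triggered Execution: Installer Packages
  PID:1908
• C:\Program Files (x86)\Chrome installer\Chrome installer\Chrome installer\ChromeSetup.exe
  "C:\Program Files (x86)\Chrome installer\Chrome installer\Chrome installer\ChromeSetup.exe"
  1⤵
  • Executes dropped EXE
  PID:1116
  • C:\Program Files (x86)\Google1116_1944656391\bin\updater.exe
    "C:\Program Files (x86)\Google1116_1944656391\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&lang=zh-CN&appname=Google%20Chrome
    2⤵
    • Executes dropped EXE
    PID:4420
• C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe" --system --windows-service --service=update
  1⤵
  PID:1104
  • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1104_1270734753\129.0.6668.89_chrome_installer.exe
    "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1104_1270734753\129.0.6668.89_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable
    2⤵
    PID:1704
    • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1104_1270734753\CR_081F4.tmp\setup.exe
      "C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1104_1270734753\CR_081F4.tmp\setup.exe" --channel=stable
      3⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      PID:2372
"""

if __name__ == "__main__":
    for pid, why in findings(parse_tree(SAMPLE)):
        print(pid, why)
```

Note that ChromeSetup.exe (PID 1116) is a root of the tree, not a child of msiexec, so the lineage rule alone would not connect it to the MSI; the link is the repeated "Chrome installer" directory under Program Files (x86) that the MSI laid down, which is why the path rule is worth keeping alongside the parent-chain rule.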

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Config.Msi\e57c257.rbs

        Filesize

        27KB

        MD5

        80fa2eb9331a41756fcf5fa42ca966d2

        SHA1

        64eca0b197048a592b8d2ad9545284fc6f368f34

        SHA256

        58cbea67259a04e0e89b5b485e853a2f3d8aa9e60090ce109d103fc5a27ef95c

        SHA512

        3a62f434f714a9b4e2fd3cba5debecc6892ed7867caccc016ddd216c60830da0321f8e72dab5e119039188765fb1fa4539a350e9bd2622209416e1c9b3985608

      • C:\Program Files (x86)\Chrome installer\Chrome installer\Chrome installer\ChromeSetup.exe

        Filesize

        8.5MB

        MD5

        de260e35ba7e1808f0ee333cb32b8768

        SHA1

        d4ca48740744fc40be1a927cf0aabcf89be2328d

        SHA256

        2b89346f2daf99a25b27c85d62d96c7e14ec5b4eb547e59b59349ad990e66612

        SHA512

        b0b36f6a07ce4ce3c5b35d082efe5a51c0bb936f4ed359aa2687fbc480157a78b9b81a450531f479c1c69a96d1204f2227235e2b7150a3b60bf8b4b0585ad066

      • C:\Program Files (x86)\Google1116_1944656391\bin\updater.exe

        Filesize

        4.7MB

        MD5

        a1361c84ae51ae71617978842d129712

        SHA1

        b4aa7a27da802454cc1a06d49020ef5f85096dad

        SHA256

        c06bf6776aa78e9aa48f7b1f19ae9b77b7e3277066003c653ab501304d8c2f10

        SHA512

        eb4bd87f78a16ea215c067781d664837bb8e1dd50c59a66dd4f7ed1fda13cd16741c3f351b319ecb9d63c2b9d99695fc0e0f15a3f22ece8bb02bfef5c8a2f99d

      • C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\Crashpad\settings.dat

        Filesize

        40B

        MD5

        97ba4f8fc37f6f8a769b02881589a3b4

        SHA1

        7a88dd4fe9b0b40a6e4625cf09cfe3a5afe0024a

        SHA256

        981d7d6ad31201a38b27b708f2c6956ea7bb30086783dd5a12105f5d20d491fd

        SHA512

        dc61e96604853dc56377b6061849a11bf699cc7831b9f8cb6eb58510c731d4d0f1bc0438a31bc5782a96d8c6c86ea9cc9aaf0a4b9322131316b651ffc4b9fc23

      • C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

        Filesize

        511B

        MD5

        03ce9142b6ed4bc4285ab9948fe4dd88

        SHA1

        f29f356bb421361b242bfd57acb533522b2de4e2

        SHA256

        907fe1df7152124a3630736f9d5e625a4dc5d26393f6d4b6c1901e5b42209396

        SHA512

        e16cbac9e9c0081ef167555290d797b70fb072da8c151164fde906310ea9b2cb6f4be6aaa1f71c33cbab6c2c6c3c6183718999d312a2b2479bd6ac5dfe8cf80c

      • C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

        Filesize

        610B

        MD5

        a15f613d258bf11a76458c77f2cc22d9

        SHA1

        03c04c2744d5cfe4f9754e05f0f0c30de64a7ca0

        SHA256

        30aad83f9afb54e90028905330b0757144b6a5364d363acd54de5a6448466f0b

        SHA512

        1391bb74560a10af9611e649c3d505451e8a7692c3ed23a780e6bedd83f90aa4a4805ff1eefe014261d0c883f9a62d984f66502e4a641a418e3cde54d5cb95e8

      • C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

        Filesize

        354B

        MD5

        04831982e260c4237ad64c96c00f179a

        SHA1

        dd5238f72ab6550a91dfc6f185ba7df3dab55912

        SHA256

        6ee1418c440156a58504bbc3419be33aa266b7917d1751478c29667f30cc9983

        SHA512

        5466b8dde7b38dbb9c4540fa63aa6a4976bbd71edcd7a14bbc23221c6c0ec9eb69672eb063a5267452e4a9d1c04c32c2f98c6a3142c3ec55e64167b9c8f4da98

      • C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

        Filesize

        49B

        MD5

        aecbd8fe3f7b64ddf70a33b920fd4bb4

        SHA1

        e4225361cb957a152b9fa94b060bad56ca0fc4ed

        SHA256

        8bb68574186a8c571e687af459dc5917a5fe2fb8ead1048e6286e74a87ad06a3

        SHA512

        0ff0f418a15f6fa0230cd5277003620ec13b87bb3f00dda64453fbeacecc0c1d0d3c5d0697692b1fb6be0be8cff03c919bc10589bc7685983bfdfe859273a4bf

      • C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

        Filesize

        610B

        MD5

        c05fc762b508c70f99f3b691c491126e

        SHA1

        c160a271cc91796e9152d0c3992fe0c0962d0c8d

        SHA256

        ba175fbb36aa6c3d74d905d0e9890cf4b0991fdcb47b9cc3677eb40bcf060c4f

        SHA512

        61a199d0e72aba62f0430b820df4505a16773b9c16f2f2df68e9fa062d0bd44e87c4bd45c46ccc4ae86b449f83a909f418c0d1e92386c4c95d5467475def67a8

      • C:\Program Files (x86)\Google\GoogleUpdater\updater.log

        Filesize

        9KB

        MD5

        ae5e8939fef9eee88adf66a86913a431

        SHA1

        b8d5bc26e52a1aa75991d85d3c50b433ebcfdc60

        SHA256

        d80b1c30d7b9d023c43fd860a77cd1a41522b8096f8c2a4f744210d1fd1d858c

        SHA512

        59c3861dd6cfe62a9f3a3fad2218fc17ea6ae9f83573b63cc5b63a62c5b4f3dcfa888b37a4331a4cd4d76e1cf503ed73e10743338309597c06c179619b69ffaa

      • C:\Program Files (x86)\Google\GoogleUpdater\updater.log

        Filesize

        10KB

        MD5

        0fea57b940e5470e49e6cd6c2bec5157

        SHA1

        b8ce235a66416f42fe93f379e2d1177e5b34bf1e

        SHA256

        5861ed8ae1ef741c1ec45a6f2654d83c6ab40f8ba265aac0d35aa51362f80abd

        SHA512

        3c5be265317f8ad1ed838184358cc504eb059b32e757730b84342cee2bef1f0553a906fc504c2afebe76768a32c80560e421e20300a653989e7096c3205b359b

      • C:\Program Files (x86)\Google\GoogleUpdater\updater.log

        Filesize

        1KB

        MD5

        a72f71fc1a5673eafbd48be40e8b47de

        SHA1

        ae4c775cd1317ebf31bb794457af5b7a66fd0a6d

        SHA256

        5bdefae4114e1b3fb1ca0bdafc3cf5bb8e43cedd6ce875ee48806012b6dfdce6

        SHA512

        98747b85a992ddba08a37647db1c7e82d140d23255c164632c839484e226103a380ee061c5c98cceafddcf58fa7f6afaf97e0db6a171d281a9c8621ff5db841c

      • C:\Program Files (x86)\Google\GoogleUpdater\updater.log

        Filesize

        2KB

        MD5

        e513a37a9d5bfce3f63cad21a271d29f

        SHA1

        4dc9a9c0a8245367c4de3e5b97e1500f288e7a42

        SHA256

        65993bdeda5f4619e914ce5bc8017195de68fe4b2979b25e9eff537af1252224

        SHA512

        a8773503b5342f214401ac86c0bd289439a187f86803821fd845befee3a79df42559e2d59b3da86386828484c4f706025d44d4fb479ad7ed64ad4676d34d0994

      • C:\Program Files (x86)\Google\GoogleUpdater\updater.log

        Filesize

        4KB

        MD5

        785c45e3b731e6e68abe28d523a9f992

        SHA1

        35c5893be64c045a39058bd2863db99c8cd51f43

        SHA256

        dabc3b7228a2360913fe4b16322f0c2acffc2331d31258bcc48480ff106cca31

        SHA512

        52099d3c5aa7a125991abf05ca729b3fd730f94c46370b8db06c5a1deb8f986512f52dfba713cff46a007b17a216dfd223ec4c0feca58ad62d344c6f24743e4a

      • C:\Program Files (x86)\Google\GoogleUpdater\updater.log

        Filesize

        5KB

        MD5

        0d15b96fa4114ce96caa1267f756de06

        SHA1

        ffca9b9706b6e02c3bb720500d3ea5647556523c

        SHA256

        7f57da59495a7e74782046c3233f443b53dcbf6e03376a73c983e8e2d0b0a351

        SHA512

        1c169aebb02474fa4a8d0872b501489f5a32a08f1a5dbad82962dc3fd825d0cb67d88f71c809745a2f7890e92a3b00ba7a57df81dbba7b340224a88ebb26ea96

      • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1104_1270734753\2e27171d-7d3e-451c-94e0-692bdbd3e948.tmp

        Filesize

        679KB

        MD5

        377a006e7c7726b6f2a3f057b485cdec

        SHA1

        b6e9b7779e660cc534ac79b02e2f12a7a2665ea4

        SHA256

        43743afc098fc8a26bb0348077ac0c4b6dde20ce3dfb886be530a9bc9a80fe91

        SHA512

        e4be802a4dfd2c60150ac4b6690634e0b5ee8729bdd13fc9641cccb01b1fcf55ad114e36cefe25b712d1e7a77a35207e6d989928b9aa1ebb15c58ba964598ddc

      • C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping1104_1270734753\CR_081F4.tmp\setup.exe

        Filesize

        5.8MB

        MD5

        b63e115a4f33267f7a305fe7872e97dc

        SHA1

        ddb5b122346a51959d12b1238cfa04fab4c8245c

        SHA256

        1b667499dbd68d571230bc1d064e92fd37d2326f7794da6c1418235ea723c918

        SHA512

        a202ada99933eb5164bc910e339ce41d8013155abd25e408dfcb37ea0a401b83c881573b571df2619d076d41e244e35d4ff6f40d5973317aa211d3549818adc0

      • C:\Program Files\Google\Chrome\Application\129.0.6668.89\chrome_elf.dll
        Filesize: 1.2MB
        MD5: 61bc08ad1de19460a3cee27c5fa424c9
        SHA1: ca60bf1702e9a9030936224571be9bb2f2c51273
        SHA256: ec27f9daf2c120ab05020d0dcb43706bb4e6e501e0d82331e533abb13555f0c4
        SHA512: b045ee342a627b33bc5d30f3fc4ed25ccd90d8ed48c3ed72ba383648a72bed2a3b6218df2ea5388ad4a0b75013b23df6216a20fa0b0055e55eec09fd6264e40e

      • C:\Program Files\Google\Chrome\Application\chrome.exe
        Filesize: 2.6MB
        MD5: a09827d40b13f9de3eb0ba4b143cfaf8
        SHA1: c62e1d8fea6b7e1acadddee923d7ac5d9baa5c48
        SHA256: e64bde7c7360c1988651c7d54649de922f68db7601faad170eb3b75bf3b024a5
        SHA512: 0a782648cbf480042d8b3bad213e980bdc5aa0b16c3f12f0a4491e7ba5760250d4f8662d10ea2f961490090032b9b0800352c9730975c2d06be17d0bc6df7aea

      • C:\Program Files\chrome_installer.log
        Filesize: 21KB
        MD5: e8827233f2d8032ff9a192c7a8db43ea
        SHA1: b039f69477254c20cb837b874b9e254b30fe1f43
        SHA256: 14484f10271f0e2780512c7c68580268e3ad4c6189b77c7fce0b455acebbf3c1
        SHA512: dedafb50724e72c6698f8508b9418ca1e59f1a0af45ff19b076768cca6106e4c6081d138a41f2f6625e0dde5b7614350a3f04ce1ff87abc0af2a0f68ac36cdc9

      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
        Filesize: 649B
        MD5: 8f09777b0caeb5303a52eec4f56a617e
        SHA1: 3ed93e67f8c73749795013c20a19d57f497d8d98
        SHA256: 4bf17baca6bdf191f289fc7ddc07304cc0171ec51b52f7f5755d1f41895c1762
        SHA512: f408cb69ece49c073d484c13cc95eb97da53651a4946ad249b331d52430da90eca25c90ad131a3713071521cc5e7c2d0ad31ceda91bc8ed333df55045af09919

      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
        Filesize: 192KB
        MD5: 505a174e740b3c0e7065c45a78b5cf42
        SHA1: 38911944f14a8b5717245c8e6bd1d48e58c7df12
        SHA256: 024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d
        SHA512: 7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911

      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
        Filesize: 2KB
        MD5: 8566e772e5814ee0d4c3b148e73b23aa
        SHA1: 0ec73cd383a236a4fd0bf1605ab263457aa8ccc8
        SHA256: 34869476b0552e3a5b4b0e004b9f04c5de47f996191e0cb1394c8b7fb13f902e
        SHA512: 26c81f6385078d90efd041041b5a1828792d37068440f28012791ed218471b69adfbd98194df85ac3154b93ddba1e62b2a428944ddb362d3f07ce68a8ae7fef4

      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
        Filesize: 2B
        MD5: d751713988987e9331980363e24189ce
        SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
        SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
        SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
        Filesize: 356B
        MD5: 70ddf94b42893b236bb8f5474e28ab87
        SHA1: b1ae79b17d2887d68f0737d39dddc551df91012e
        SHA256: 42b9bb4f5e9fde7ea4fa18e227ec2d95755ef80d62e80a8bd66cb1fea50b9478
        SHA512: 64f6f632b9b88e37578435c6db4524c75c499eb0ea90bfd13d5d9b4c62fac5f6cb8def588d5a8caaa2ca1cf32f2a7aee6081534aae8702e9eba86bdde28de47a

      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
        Filesize: 10KB
        MD5: 7b7b8d75d8a37df1d3b87fc55337c296
        SHA1: c11357be4a6fab549d8fa0ff7269c2f3187c00a3
        SHA256: 7c6464ad3005f11b469c959e99ced59e9e1b226cb953500da95b2a3c313051a3
        SHA512: 407551e27005f7ce5a9d4ce26a6281daf74578169a962a3145248686452ea772dd3318f16eaeefb44ca92f1ce379f3b3d38fdb3a74ee6c86ab00689a18447622

      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
        Filesize: 15KB
        MD5: 726c67d6d3d4641c4245f7c5661d4095
        SHA1: 2b49169f55b03355f069e5bb9d4b830968aad7a6
        SHA256: 76e1525d440489225632bad26040c5764c7159120b15e6e710d0dbb223ee36cf
        SHA512: 6cbaa53b4cc4d6d719c8b3240644006051e94b0540ccaa63eae8e9c00b0f0170562def460aad254efa4c49f509f9d4387b39785ba549492d9e3da7f4dcc63fec

      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d0a928d8-f815-486e-b842-1e766baf2cb3.tmp
        Filesize: 38B
        MD5: 3433ccf3e03fc35b634cd0627833b0ad
        SHA1: 789a43382e88905d6eb739ada3a8ba8c479ede02
        SHA256: f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d
        SHA512: 21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c

      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
        Filesize: 183KB
        MD5: 61d22603584ded09367fd9f519c63150
        SHA1: c1565321b6c73c5c756b71c39e32916a92c24fbc
        SHA256: 79492c43c8b9d3ae1d0680afe50f931e054ae1e5e5270bf224c1f9b5c26de56d
        SHA512: 2b35b05e593c4cb26a5f8f9622c5ec3aefdf485beb065184fa3a15bc6ba8e07ae7b561d36e03fca850ceddf4b0506d79ac40548a8085f71cd5ca520eb2305fa6

      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
        Filesize: 183KB
        MD5: f9299716a5551b2189282b1c743f1ce8
        SHA1: af6f7b7dd19147ac67a6e54bf41738d0353506d4
        SHA256: 7f45cf0a139acb30bd397093bfae143934cb3fabeed98503b865c60fbed4b14a
        SHA512: e9d8f921dcbf75a9324951b36695462ce090b41faf7f9cf443abd2029d606a712d6f6721c3525f4693f068fb17c8f88af3f9591dfe900a868184595d5a695d73

      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
        Filesize: 100KB
        MD5: 2666af2d02879357d4437a391453b8b3
        SHA1: 3f0a07eee3494e298163bed5dde3bb5b53316a80
        SHA256: 04e51c08f31b872e405a5672a79aeb4fef5b5ef663249fec139fe7a319ff7c3a
        SHA512: 6a57ff2cbbc1f972cd5a229abb39c51c1354c724fbe28b16edfc8c5e0284bf2ec64ae00764a001ff735747ee8284e4ad7f69e788dd6c4706fc1da1de87dbfb15

      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
        Filesize: 99KB
        MD5: 5a7f78cc4564e57ce53f8e8e80a12318
        SHA1: 6ec5ff016ff5d297cb9887d56a3c1dbbde1b5acb
        SHA256: 3dd74da7a8ae3372699e0788d188ed66f6f371d2f504fd804e4ba81cec4779da
        SHA512: 348690849cf987715fc4ea79cd1396d9a204141eaf6963cf28e5e7f275c300a3259981ea19eb433500a490cd12d6a7f2b861484d11a89f951e05e6fa87a1b2c6

      • C:\Users\Admin\AppData\Local\Temp\MSI85E9.tmp
        Filesize: 557KB
        MD5: db7612f0fd6408d664185cfc81bef0cb
        SHA1: 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
        SHA256: e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
        SHA512: 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

      • C:\Windows\Installer\MSICA96.tmp
        Filesize: 25KB
        MD5: 81902d13c01fd8a187f3a7f2b72d5dd0
        SHA1: 0ac01518c5588eb2788730c78f0c581f79cf2ed4
        SHA256: eef31e9195cfacde7b4e7eb7384c8178d8811063b375fd4a28ae897cc180c6a6
        SHA512: 04d6e2e937328477803084e0ef9da2c3636cdc9d34af74e2d1871d7190be21cbb2771ae835175e104e24eccba52add1ba6f58407bfd522ef82b81d76e977f24c

      • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
        Filesize: 23.7MB
        MD5: 87ac979daa667c2aef09fa76307848c2
        SHA1: 90725e0acdc8ba92f1f803f58ebcfe74ef5b9f83
        SHA256: 9999d982bbd2b849b3e5670fc82287648a48ce75c68bf0f7b9f291228a591314
        SHA512: 3007d2ffdd0ae14b6a1f90c110c4fe7306791ba47324779689159f4993bca16e1259a6cb8e110c632975446aab589e7ca26277754753156d54210007a0e3249e

      • \??\Volume{83bffa96-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f3ea9960-72a5-4c06-9bf6-b7279d8dbdc0}_OnDiskSnapshotProp
        Filesize: 6KB
        MD5: 9c59629e1aa06fd8281a717755d658c6
        SHA1: 63fd1e4afb93ae1981146868cbb23fd00649b2b8
        SHA256: cac3e100ac0a52ab6c8ce658ae71b9cfc4e2c0288aaa357dd56dbfffa97bd1f7
        SHA512: 0fd193e91be49d95e35f3f6058979ffe93379e830b565375a85f736b1592d27cb2c829a68bdc9f2f1c1b7b9be704646e9915a600dcc990a0c7ffdb8bb0144e86
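Worked example, added by the editor and not part of the tria.ge report or of Chrome: a Python triage script that parses dropped-file entries of the shape listed above (path, then Filesize / MD5 / SHA1 / SHA256 / SHA512) and answers the first three questions an analyst asks of such a list: which paths were written more than once during the run, which files fall outside the trees a Chrome installer is expected to touch, and which tiny files are only well-known placeholder content. The embedded excerpt is constructed from the listing above; the "expected roots" and the placeholder byte strings are the example's own assumptions, not anything the report states.

```python
"""Triage helpers for a sandbox "dropped files" listing (added example, not tria.ge code)."""
import hashlib
import re
from collections import Counter

# Constructed excerpt of the listing above; hash and size values copied from the report.
SAMPLE = r"""
• C:\Program Files\Google\Chrome\Application\chrome.exe
  Filesize: 2.6MB
  MD5: a09827d40b13f9de3eb0ba4b143cfaf8
• C:\Program Files\chrome_installer.log
  Filesize: 21KB
  MD5: e8827233f2d8032ff9a192c7a8db43ea
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
  Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 183KB
  MD5: 61d22603584ded09367fd9f519c63150
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 99KB
  MD5: 5a7f78cc4564e57ce53f8e8e80a12318
• C:\Users\Admin\AppData\Local\Temp\MSI85E9.tmp
  Filesize: 557KB
  MD5: db7612f0fd6408d664185cfc81bef0cb
• \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.7MB
  MD5: 87ac979daa667c2aef09fa76307848c2
"""

FIELD_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)(?:\s*:\s*(\S.*))?$")
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
DIGESTS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
# Byte strings software routinely writes as "nothing recorded yet" (assumed set).
PLACEHOLDERS = {b"": "empty file", b"[]": "empty JSON array", b"{}": "empty JSON object"}
# Trees a Chrome installer is expected to write into (assumption for this example).
EXPECTED_ROOTS = ("C:\\Program Files\\Google\\Chrome\\",
                  "C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\")


def parse_listing(text):
    """One dict per entry. Accepts 'Key: value' on one line and the report's own
    layout, where the value sits on the next non-blank line after the label."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            records.append({"path": line[1:].strip()})
            pending = None
            continue
        if not records:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            if value is None:
                pending = key
            else:
                records[-1][key] = value if key == "Filesize" else value.lower()
        elif pending:
            records[-1][pending] = line if pending == "Filesize" else line.lower()
            pending = None
    return records


def parse_size(text):
    """'2B' -> 2, '2KB' -> 2048. Report sizes are rounded, so treat the result as approximate."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?B)", text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * SIZE_UNITS[m.group(2)])


def digests(data):
    """All four digests the report lists, computed over the given bytes."""
    return {k: hashlib.new(algo, data).hexdigest() for k, algo in DIGESTS.items()}


def rewritten_paths(records):
    """Paths listed more than once: the file was rewritten during the run."""
    return sorted(p for p, n in Counter(r["path"] for r in records).items() if n > 1)


def outside_expected(records, roots=EXPECTED_ROOTS):
    """Files outside the install and profile trees; these deserve a look first."""
    prefixes = tuple(r.lower() for r in roots)
    return [r["path"] for r in records if not r["path"].lower().startswith(prefixes)]


def placeholder_content(record, max_size=16):
    """Label a tiny file whose size and every listed digest match a known placeholder."""
    if "Filesize" not in record:
        return None
    size = parse_size(record["Filesize"])
    listed = {k: record[k] for k in DIGESTS if k in record}
    if size > max_size or not listed:
        return None
    for content, label in PLACEHOLDERS.items():
        if len(content) == size and all(digests(content)[k] == v for k, v in listed.items()):
            return label
    return None


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    print("rewritten during run:", rewritten_paths(recs))
    print("outside expected trees:", outside_expected(recs))
    for r in recs:
        if placeholder_content(r):
            print("placeholder:", r["path"], "->", placeholder_content(r))
```

Run against the excerpt it reports that Local State was rewritten (Chrome rewrites it on each start, so repeated entries with different hashes are normal), that the 2-byte SCT Auditing Pending Reports file is just an empty JSON array, and that the installer log, the MSI temp file and the shadow-copy metadata are the entries outside the Chrome trees. Files named MSI*.tmp under %TEMP% and C:\Windows\Installer are where msiexec stages custom-action binaries, so the two listed on this page are the first artifacts to pull and inspect on their own; the script flags them but makes no claim about what they contain.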